CCNA Security Lab 16 - Cisco IOS Auto Secure - CLI 

Lab 16 

Cisco IOS Auto Secure 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to use 
the Auto Secure feature available in Cisco IOS software. 

Lab Purpose: 

The Cisco IOS Auto Secure feature simplifies the security configuration of a 
router and hardens the router configuration. 

Lab Difficulty: 

This lab has a difficulty rating of 5/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use any single router to complete this lab: 



Lab 16 Configuration Tasks 
Task 1: 

Configure the hostname on R1 as illustrated in the diagram. 

Task 2: 

Enable the Auto Secure feature on R1 and secure the router Management plane 
only. Configure parameters of your choice. The objective here is to familiarize 
you with this feature. 

Task 3: 

Configure R1 so that all passwords (i.e. enable password, enable secret, VTY, 
etc.) entered on the router must be at least 8 characters in length. In addition 
to this, configure R1 so that only 2 unsuccessful login attempts are permitted, 
and if this threshold is exceeded a log message should be generated and stored in 
the local router buffer. 


Lab 16 Configuration and Verification 
Task 1: 

Router(config)#hostname R1 

R1(config)#exit 

R1# 

Task 2: 

R1#auto secure management 

— AutoSecure Configuration — 

*** AutoSecure configuration enhances the security of 
the router, but it will not make it absolutely resistant 
to all security attacks *** 

AutoSecure will modify the configuration of your device. 

All configuration changes will be shown. For a detailed 
explanation of how the configuration changes enhance security 
and any possible side effects, please refer to Cisco.com for 
Autosecure documentation. 

At any prompt you may enter '?' for help. 

Use ctrl-c to abort this session at any prompt. 

Gathering information about the router for AutoSecure 

Is this router connected to internet? [no]: no 

Securing Management plane services... 

Disabling service finger 
Disabling service pad 
Disabling udp & tcp small servers 
Enabling service password encryption 
Enabling service tcp-keepalives-in 
Enabling service tcp-keepalives-out 
Disabling the cdp protocol 
Disabling the bootp server 
Disabling the http server 
Disabling the finger service 
Disabling source routing 
Disabling gratuitous arp 

Here is a sample Security Banner to be shown 
at every access to device. Modify it to suit your 
enterprise requirements. 

Authorized Access only 

This system is the property of So-&-So-Enterprise. 
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. 
You must have explicit permission to access this 
device. All activities performed on this device 
are logged. Any violations of access policy will result 
in disciplinary action. 

Enter the security banner {Put the banner between 
k and k, where k is any character}: 

# 

This is the CCNA Security Auto Secure Lab 
# 

Enable secret is either not configured or 
is the same as enable password 
Enter the new enable secret: ******** 

Confirm the enable secret : ******** 

Enter the new enable password: ******** 

Confirm the enable password: ******** 

Configuring AAA local authentication 
Configuring Console, Aux and VTY lines for 
local authentication, exec-timeout, and transport 
Securing device against Login Attacks 

Configure the following parameters 

Blocking Period when Login Attack detected: 60 

Maximum Login failures with the device: 2 

Maximum time period for crossing the failed login attempts: 30 

Configure SSH server? [yes]: no 

Configuring interface specific AutoSecure services 
Disabling the following ip services on all interfaces: 

no ip redirects 
no ip proxy-arp 
no ip unreachables 
no ip directed-broadcast 
no ip mask-reply 

Disabling mop on Ethernet interfaces 

This is the configuration generated: 

no service finger 
no service pad 

no service udp-small-servers 

no service tcp-small-servers 

service password-encryption 

service tcp-keepalives-in 

service tcp-keepalives-out 

no cdp run 

no ip bootp server 

no ip http server 

no ip finger 

no ip source-route 

no ip gratuitous-arps 

no ip identd 
banner motd ^C 

This is the CCNA Security Auto Secure Lab 

security passwords min-length 6 
security authentication failure rate 10 log 
enable secret 5 $l$KqCV$PKI46q2v5RLX6tjl9aaxEl 
enable password 7 094F471A1A0A14110209 
aaa new-model 

aaa authentication login local_auth local 
line con 0 

login authentication local_auth 
exec-timeout 5 0 
transport output telnet 
line aux 0 

login authentication local_auth 
exec-timeout 10 0 
transport output telnet 
line vty 0 4 

login authentication local_auth 

transport input telnet 

login block-for 60 attempts 2 within 30 

service timestamps debug datetime msec localtime show-timezone 

service timestamps log datetime msec localtime show-timezone 

logging facility local2 

logging trap debugging 

service sequence-numbers 

logging console critical 

logging buffered 

interface FastEthernet0/0 

no ip redirects 

no ip proxy-arp 

no ip unreachables 

no ip directed-broadcast 

no ip mask-reply 

no mop enabled 
interface Serial0/0 
no ip redirects 
no ip proxy-arp 
no ip unreachables 
no ip directed-broadcast 
no ip mask-reply 
! 

end 


Apply this configuration to running-config? [yes]: yes 


Applying the config generated to running-config 


R1# 

Task 3: 

R1(config)#security passwords min-length 8 
R1(config)#security authentication failure rate 2 log 

R1(config)#exit 

R1# 

Lab 16 Configurations 
R1 Configuration 

R1#show running-config 
Building configuration... 

Current configuration : 3406 bytes 
! 

version 12.4 
no service pad 
service tcp-keepalives-in 
service tcp-keepalives-out 

service timestamps debug datetime msec localtime show-timezone 
service timestamps log datetime msec localtime show-timezone 
service password-encryption 
service sequence-numbers 
! 

hostname R1 
! 

boot-start-marker 
boot-end-marker 
! 

security authentication failure rate 2 log 
security passwords min-length 8 
logging buffered 4096 
logging console critical 

enable secret 5 $l$KqCV$PKI46q2v5RLX6tjl9aaxEl 
enable password 7 094F471A1A0A14110209 
! 

aaa new-model 
! 

! 

aaa authentication login local_auth local 
! 

! 

aaa session-id common 
no network-clock-participate slot 1 
no network-clock-participate wic 0 
no ip source-route 
no ip gratuitous-arps 
ip cef 
! 

! 

! 

! 

no ip bootp server 

login block-for 60 attempts 2 within 30 
! 


multilink bundle-name authenticated 



crypto pki trustpoint TP-self-signed-533650306 
enrollment selfsigned 

subject-name cn=IOS-Self-Signed-Certificate-533650306 
revocation-check none 
rsakeypair TP-self-signed-533650306 
! 

! 

crypto pki certificate chain TP-self-signed-533650306 
certificate self-signed 01 
quit 

! 

! 

archive 
log config 
logging enable 
hidekeys 


! 

! 

! 

! 

! 

! 

! 

interface FastEthernet0/0 
no ip address 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
duplex auto 
speed auto 
no mop enabled 
! 

interface Serial0/0 

ip address 10.1.1.1 255.255.255.252 
no ip redirects 
no ip unreachables 
no ip proxy-arp 
! 

ip forward-protocol nd 
! 

! 

no ip http server 
ip http secure-server 
! 

! 

logging trap debugging 
logging facility local2 
no cdp run 
! 
! 



control-plane 


banner motd ^C 

This is the CCNA Security Auto Secure Lab 

! 

line con 0 

exec-timeout 5 0 

login authentication local_auth 

transport output telnet 

line aux 0 

login authentication local_auth 
transport output telnet 
line vty 0 4 
privilege level 15 
password 7 094F471A1A0A 
login authentication local_auth 
transport input telnet 
! 

! 

end 
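To check that a running-config such as the one above really reflects Task 2 and Task 3 (and to see what AutoSecure leaves behind when the SSH server is declined), here is a small Python audit written for this lab; it is an added example, not part of the original lab or any Cisco tool, and the constructed SAMPLE_CONFIG excerpt uses a placeholder enable-secret hash.

```python
import re
# Constructed excerpt modelled on the lab's final running-config; the secret hash is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
security authentication failure rate 2 log
security passwords min-length 8
logging buffered 4096
enable secret 5 $1$PLACEHOLDER$HASH
enable password 7 094F471A1A0A14110209
aaa new-model
login block-for 60 attempts 2 within 30
line vty 0 4
 password 7 094F471A1A0A
 login authentication local_auth
 transport input telnet
end
"""
# Items AutoSecure (Task 2) and Task 3 should have left in place; matched by prefix.
REQUIRED_GLOBAL = ["service password-encryption", "aaa new-model", "logging buffered", "login block-for"]

def parse_ios_config(text):
    """Map 'global' and each parent command to its one-space-indented sub-commands."""
    sections, parent = {"global": []}, "global"
    for raw in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if raw.startswith(" ") and parent != "global":
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            sections["global"].append(parent)
            sections.setdefault(parent, [])
    return sections

def audit(text, min_pw_len=8, max_failures=2):
    """Return policy findings: Task 3 limits, AutoSecure items, reversible or cleartext secrets."""
    cfg = parse_ios_config(text)
    g = cfg["global"]
    num = lambda pat: next((int(m.group(1)) for m in map(re.compile(pat).match, g) if m), None)
    findings = [f"missing: {item}" for item in REQUIRED_GLOBAL if not any(l.startswith(item) for l in g)]
    n = num(r"security passwords min-length (\d+)$") or 0
    if n < min_pw_len:
        findings.append(f"password min-length is {n}, policy requires >= {min_pw_len}")
    n = num(r"security authentication failure rate (\d+) log$")
    if n is None or n > max_failures:
        findings.append(f"login failure rate is {n}, policy requires <= {max_failures} with log")
    for name, sub in cfg.items():
        if any("password 7 " in l for l in sub):  # type 7 is a reversible encoding, not a hash
            findings.append(f"{name}: type 7 password is reversibly encoded, prefer a secret")
        if name.startswith("line ") and any(l.startswith("transport input") and "telnet" in l for l in sub):
            findings.append(f"{name}: transport input allows telnet (cleartext management)")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the lab's own values and the Task 3 limits pass, while the declined SSH server and the type 7 passwords are reported as findings.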



© 2006-2011 HowtoNetwork.net All Rights Reserved. Reproduction without permission prohibited. 


